>>OpenBSD's rm(1) does warn you when trying to delete a file that is
>>either not owned by you, not writable by you, or probably meets a list
>>of other criteria I can't think of offhand.

>
> That is common rm(1) behaviour.
>
> With immutable files such an attempt at removing a file will
> fail. So "rm -fr /" will keep the immutable files which is
> a worthwhile protection.
>

>>> In order to support hard immutability you can think of mechanisms like
>>> file signatures; as long as you load only pre-configured trusted modules,
>>> that is fine.

>

>>Well, as long as the kernel can be trusted to verify these signatures
>>correctly, if I understand you correctly. This is not a given.

>
> When the kernel can no longer be trusted to perform such tasks it is
> already compromised beyond repair.

Indeed; the point, however, was about kernel security in the face of a
root compromise. While an OpenBSD system will allow root to overwrite
/bsd and reboot (at least on the customary securelevel 1), it will not
allow root to jump to the kernel level. And rebooting might be very
undesirable for an attacker.

Clearly, allowing full access to kernel memory via /dev/*mem instantly
allows full kernel compromise; notably, allowing only trusted modules to
be loaded is not terribly useful, as attacking the trust routines might
be one of the easier things to do.

At least, I *believe* I was trying to make the above point. In any case,
I wasn't terribly clear.